b'               f\xc2\xa0\n\n               \xc2\xa0\n\n               \xc2\xa0     U.S.\xc2\xa0ENVIRONMENTAL\xc2\xa0PROTECTION\xc2\xa0AGENCY\xc2\xa0\n\n               \xc2\xa0     OFFICE\xc2\xa0OF\xc2\xa0INSPECTOR\xc2\xa0GENERAL\xc2\xa0\n\n\n\n\n                     EPA Needs to Improve\n                     Safeguards for Personally\n                     Identifiable Information\n                     Report No. 14-P-0122                    February 24, 2014\n\n\n\n\nScan this mobile\ncode to learn more\nabout the EPA OIG.\n\x0cReport Contributors:\t                                Rudolph M. Brevard\n                                                     Cheryl Reid\n                                                     Neven Soliman\n                                                     Nii-Lantei Lamptey\n                                                     Rodney T. Allison\n\n\n\n\nAbbreviations\n\nAPO             Agency Privacy Officer\nDIB             Data Integrity Board\nDNP             Do Not Pay\nEPA             U.S. 
Environmental Protection Agency\nFY              Fiscal Year\nLPO             Liaison Privacy Official\nNIST            National Institute of Standards and Technology\nOEI             Office of Environmental Information\nOIC             Office of Information Collection\nOIG             Office of Inspector General\nOMB             Office of Management and Budget\nPII             Personally Identifiable Information\n\n\nCover photo:\t      EPA OIG photo depicting an individual stealing someone else\xe2\x80\x99s social security\n                   card and driver\xe2\x80\x99s license.\n\n\n\n Hotline \t                                      Suggestions for Audits or Evaluations\n To report fraud, waste or abuse, contact       To make suggestions for audits or evaluations, \n\n us through one of the following methods:       contact us through one of the following methods:\n\n\n email:    OIG_Hotline@epa.gov                  email:    OIG_WEBCOMMENTS@epa.gov\n phone:    1-888-546-8740                       phone:    1-202-566-2391\n fax:      1-202-566-2599                       fax:      1-202-566-2599\n online:   http://www.epa.gov/oig/hotline.htm   online:   http://www.epa.gov/oig/contact.html#Full_Info\n\n write:\t   EPA Inspector General Hotline        write:    EPA Inspector General Hotline \n\n           1200 Pennsylvania Avenue, NW \n                 1200 Pennsylvania Avenue, NW\n           Mailcode 2431T                                 Mailcode 2431T \n\n           Washington, DC 20460\n                          Washington, DC 20460\n\x0c                        U.S. 
Environmental Protection Agency \t                                                14-P-0122\n                                                                                                       February 24, 2014\n                        Office of Inspector General\n\n\n                        At a Glance\n\nWhy We Did This Review                EPA Needs to Improve Safeguards for Personally\nThe U.S. Environmental\n                                     Identifiable Information\nProtection Agency (EPA) must\nsafeguard individuals\xe2\x80\x99                What We Found\nPersonally Identifiable\nInformation (PII) consistent with    The EPA has not created formal policies and          The lack of stronger privacy\nthe Privacy Act, the                 procedures for several processes that contribute     program processes and\nE-Government Act of 2002,            to the safeguarding of PII and that ensure           procedures places the\nOffice of Management and             compliance with federal requirements. The EPA        EPA\xe2\x80\x99s sensitive PII at a\nBudget (OMB) directives, and         is using an inaccurate list of systems that          greater risk of compromise\nother federal requirements.          contain sensitive PII to report to OMB and the       and misuse.\nWithout the proper security          Chief Information Officer. This listing was not\ncontrols, the PII is vulnerable to   up-to-date and it contained incorrect data about systems. Having outdated\nunauthorized access and use.         information may lead OMB and agency management to make decisions that may\n                                     not be applicable to the agency\xe2\x80\x99s needs. 
The lack of formal policies and\nWe sought to determine               procedures and management oversight over agency processes for safeguarding of\nwhether the EPA has                  PII does not ensure employees are aware of their responsibilities for protecting PII.\ndeveloped and implemented\npolicies, procedures and             The PII training process covered 50 percent of the prescribed topics and did not\nprocesses for protecting             track training of agency personnel. Federal guidance provides specific training\nsensitive PII in accordance with     topics and directs agencies to train employees on their privacy responsibilities.\nfederal and agency criteria.         The agency had not set up a process to track training completion and had not\n                                     evaluated available privacy training before contracting to develop a new privacy\nThis report addresses the            training program. As a result, EPA employees are only trained on a portion of the\nfollowing EPA theme:                 requirements and management is unable to assess whether all employees have\n                                     been trained.\n \xef\x82\xb7 Embracing EPA as a high\n   performing organization.           
Recommendations and Planned Corrective Actions\n\n                                     We recommend that the EPA implement a \xe2\x80\x9crules and consequences\xe2\x80\x9d procedure\n                                     for safeguarding PII; develop policies and procedures for matching programs;\n                                     develop and implement a process for maintaining an accurate, current listing of\n                                     systems that contain sensitive PII; implement a process to train individuals who\n                                     access PII; and conduct reviews of available training before the agency enters\n                                     into contracts.\n\n                                     The agency concurred with the report\xe2\x80\x99s recommendations and provided\n                                     corrective action plans, which we found acceptable. The agency initially did not\n                                     agree with recommendation 6 of the draft report and proposed an alternative\nFor further information,             corrective action. We met with agency officials and revised recommendation 6,\ncontact our public affairs office    and the agency concurred with the revised recommendation.\nat (202) 566-2391.\n\nThe full report is at:                Noteworthy Achievements\nwww.epa.gov/oig/reports/2014/\n20140224-14-P-0122.pdf               The EPA had created a privacy program as we recommended in a prior Office of\n                                     Inspector General audit and provided a memorandum to us certifying completion\n                                     of report recommendations.\n\x0c                        UNITED STATES ENVIRONMENTAL PROTECTION AGENCY\n                                     WASHINGTON, D.C. 
20460\n\n\n                                                                                       THE INSPECTOR GENERAL\n\n\n\n\n                                           February 24, 2014\n\nMEMORANDUM\n\nSUBJECT:       EPA Needs to Improve Safeguards for Personally Identifiable Information\n               Report No. 14-P-0122\n\nFROM:          Arthur A. Elkins Jr.\n\nTO:            Renee Wynn, Acting Assistant Administrator and Chief Information Officer\n               Office of Environmental Information\n\nThis is our report on the subject audit conducted by the Office of Inspector General (OIG) of the\nU.S. Environmental Protection Agency (EPA). This report contains findings that describe the problems\nthe OIG identified and corrective actions the OIG recommends. The Office of Information Collection is\nthe primary office responsible for the agency program that we reviewed during this audit. This report\nrepresents the opinion of the OIG and does not necessarily represent the final EPA position. The agency\nconcurred with all the report\xe2\x80\x99s recommendations and provided high-level planned corrective action plans\nwith milestone dates, which we found acceptable.\n\nAction Required\n\nWe will close this report upon issuance in our audit tracking system based on your response to the draft\nreport. We believe the proposed actions, when implemented, will adequately address the report\xe2\x80\x99s\nfindings and recommendations. Please provide updated information in the EPA\xe2\x80\x99s Management Audit\nTracking System as you complete each planned corrective action or revise any corrective actions and/or\nmilestone dates. 
If you are unable to meet your planned milestones, or believe other corrective actions\nare warranted, please send us a memorandum stating why you are revising the milestones or why you\nare proposing alternative corrective actions, as required by EPA Manual 2750.\n\xc2\xa0\nIf you or your staff have any questions regarding this report, please contact Richard Eyermann, acting\nAssistant Inspector General, Office of Audit, at (202) 566-0565 or eyermann.richard@epa.gov; or\nRudolph M. Brevard, Director, Information Resources Management Assessments, at (202) 566-0893\nor brevard.rudy@epa.gov.\n\x0cEPA Needs to Improve Safeguards                                                                                                14-P-0122\nfor Personally Identifiable Information\n\n\n                                    Table of Contents \n\n\nChapters\n    1     Introduction ........................................................................................................      1\n\n\n                  Purpose .......................................................................................................    1     \n\n                  Background .................................................................................................       1     \n\n                  Responsible Office ......................................................................................          1     \n\n                  Noteworthy Achievements ...........................................................................                2     \n\n                  Scope and Methodology ..............................................................................               2     \n\n\n    2     EPA\xe2\x80\x99s Documented Processes for Protecting PII Need Improvement ..........                                                  4\n\n\n                  Formal \xe2\x80\x9cRules and Consequences\xe2\x80\x9d Procedure Does Not Exist...................                      
                  4\n\n                  Agency Lacks Oversight Over a Matching Program ....................................                                5     \n\n                  Mandated Contract Reviews Not Performed ...............................................                            6     \n\n                  Process for Maintaining PII System List Needs Improvement ........................                                 7\n\n                  Conclusion ...................................................................................................     7\n\n                  Recommendations .......................................................................................            7\n\n                  Agency Comments and OIG Evaluation ........................................................                        8\n\n\n    3     Privacy Training Not Well Defined or Tracked ................................................                              9\n\n\n                  Privacy Training Topics Not Covered ..........................................................                     9\n\n                  Privacy Training Not Tracked in Program Offices .......................................                           10 \n\n                  Conclusion...................................................................................................     11     \n\n                  Recommendations .......................................................................................           11 \n\n                  Agency Comments and OIG Evaluation ......................................................                         12 \n\n\n    Status of Recommendations and Potential Monetary Benefits..............................                                         13 \n\n\n\n\nAppendices\n    A     Agency Response to Draft Report....................................................................                       
14 \n\n\n    B     Revised Agency Response to Report Recommendations .............................                                           21 \n\n\n    C     Distribution .........................................................................................................    23\n\n\x0c                                  Chapter 1\n\n                                   Introduction\nPurpose\n            We sought to determine whether the U.S. Environmental Protection Agency\n            (EPA) has developed and implemented policies, procedures and processes for\n            protecting sensitive personally identifiable information (PII) in accordance with\n            federal and agency criteria.\n\nBackground\n            The Privacy Act of 1974 sets forth requirements for federal agencies when they\n            collect, maintain or disseminate information about individuals. The act requires\n            that federal agencies (a) collect minimal information necessary on individuals,\n            (b) safeguard the information, and (c) allow individuals to inspect and correct\n            erroneous information.\n\n            It is the responsibility of the agency to provide information security protection for\n            the use and/or disclosure of information collected or maintained by or on behalf\n            of the agency. It is the policy of the EPA to safeguard individuals\xe2\x80\x99 privacy in a\n            manner consistent with the Privacy Act, the E-Government Act of 2002, Office of\n            Management and Budget (OMB) directives and other federal requirements\n            concerning privacy. 
Without the proper security controls, the PII information\n            collected by agencies is vulnerable to unauthorized access and use.\n\nResponsible Office\n\n            The Office of Information Collection within the Office of Environmental\n            Information (OEI) provides oversight of the EPA\xe2\x80\x99s National Privacy Program.\n            The EPA National Privacy Program provides leadership, direction and support for\n            the agency\xe2\x80\x99s privacy activities by developing policies, procedures, tools and\n            guidance for administering the EPA\xe2\x80\x99s requirements under the Privacy Act, the\n            E-Government Act, the Federal Information Security Management Act, and\n            policy and guidance issued by the President and OMB. The Privacy Act officer is\n            the National Privacy Program manager responsible for coordinating and\n            overseeing the agency\xe2\x80\x99s Privacy Program, coordinating the publication of a\n            system of records notices with program offices, and providing training or training\n            opportunities for all key privacy personnel and agency employees.\n\n\n\n\n14-P-0122                                                                                           1\n\x0cNoteworthy Achievements\n            The EPA had created a privacy program as we had recommended in a prior EPA\n            Office of Inspector General (OIG) audit and provided a memorandum to OIG\n            certifying completion of report recommendations. The EPA created a privacy policy\n            and an agency-wide privacy program Intranet page.\n\n\nScope and Methodology\n            We conducted this audit in accordance with generally accepted government\n            auditing standards. 
Those standards require that we plan and perform the audit to\n            obtain sufficient, appropriate evidence to provide a reasonable basis for our\n            findings and conclusions based on our audit objectives. We believe that the\n            evidence obtained provides a reasonable basis for our findings and conclusions\n            based on our audit objectives.\n\n            We performed this audit at the EPA headquarters in Washington, D.C.,\n            and collected and reviewed information from other EPA locations from\n            December 2012 through August 2013. We reviewed federal requirements and\n            guidelines associated with the safeguarding of PII and compared them to related\n            internal policies and procedures used by the EPA. We also interviewed the EPA\n            privacy officer, system owners and other agency officials to inquire about their\n            internal processes for safeguarding PII.\n\n            We randomly sampled six systems that contained sensitive PII, requested system\n            documentation, and reviewed compliance with federal and internal policies and\n            procedures for three of the six sampled systems.\n\n            We conducted follow-up on the previous recommendations in an OIG audit report\n            on the EPA\xe2\x80\x99s Privacy Program management controls, EPA Needs to Strengthen its\n            Privacy Program Management Controls, Report No. 2007-P-00035, dated\n            September 17, 2007. We limited our review to determine whether the EPA took\n            steps to implement the identified recommendations. We did not conduct testing to\n            determine the effectiveness of the recommendations. 
In this prior report, we\n            recommended that the OEI\xe2\x80\x99s Director, Office of Information Collection:\n\n               \xef\x82\xb7\t Establish and formally document key goals and activities for OEI\xe2\x80\x99s\n                  Records, Freedom of Information Act, and Privacy Branch associated with\n                  the EPA\xe2\x80\x99s Privacy Program.\n               \xef\x82\xb7\t Establish and track performance measures associated with OEI\xe2\x80\x99s Records,\n                  the Freedom of Information Act, and Privacy Branch key privacy goals\n                  and activities and measure Privacy Program progress.\n               \xef\x82\xb7\t Update, implement and communicate the EPA\xe2\x80\x99s privacy policies and\n                  procedures and ensure they adequately address key tenets of the Privacy\n                  Program.\n\n14-P-0122                                                                                       2\n\x0c            \xef\x82\xb7\t Develop and implement processes for managing the EPA privacy policies\n               and procedures to ensure they are updated with appropriate changes.\n            \xef\x82\xb7\t Establish a means of making agency privacy policies and procedures\n               accessible to the EPA personnel.\n            \xef\x82\xb7\t Establish a monitoring and oversight process to help ensure that managers\n               and employees are implementing and complying with the established\n               agency privacy policies and procedures.\n\n\n\n\n14-P-0122                                                                                  3\n\x0c                                   Chapter 2\n            EPA\xe2\x80\x99s Documented Processes for Protecting\n                      PII Need Improvement\n             The EPA\xe2\x80\x99s privacy policies and procedures lacked several processes that\n             contribute to the safeguarding of PII and ensure compliance with federal\n   
          requirements. The OMB and the EPA\xe2\x80\x99s Privacy Policy prescribe the practices for\n             implementing the agency\xe2\x80\x99s privacy program. These processes were deficient\n             because:\n\n                \xef\x82\xb7\t A formal \xe2\x80\x9crules and consequences\xe2\x80\x9d procedure required by OMB\n                   Memorandum 07-16 did not exist prior to us questioning the agency.\n                \xef\x82\xb7\t Policies and procedures that would govern the need for written agreements\n                   in order for the EPA to participate in matching programs with other\n                   agencies and would require employees to communicate matching activities\n                   to the appropriate officials were not created.\n                \xef\x82\xb7\t The EPA did not create oversight processes for ensuring mandated contract\n                   reviews were performed to ensure contracts contain language to make the\n                   provisions of the Privacy Act of 1974 binding on the contractor and the\n                   employees.\n                \xef\x82\xb7\t The EPA is using an inaccurate list of systems that contain sensitive PII to\n                   report to OMB and the Chief Information Officer on a continuous basis.\n                   This listing was not up-to-date and it contained incorrect data about\n                   systems. The agency has not developed a process for reviewing and\n                   updating this list of systems that contain sensitive PII on a timely basis to\n                   ensure accuracy.\n\xc2\xa0\n             Having outdated information, as presented by the listing of systems that contain\n             PII, may lead OMB and agency management to make decisions that may not be\n             applicable to the agency\xe2\x80\x99s needs. 
The lack of formal policies and procedures, and\n             also management oversight over agency processes for protecting PII, does not\n             ensure employees are aware of their responsibilities for protecting PII in\n             accordance with federal requirements. As a result, employees may inadvertently\n             mistreat, misuse and/or expose PII without proper knowledge of their\n             responsibilities.\n\nFormal \xe2\x80\x9cRules and Consequences\xe2\x80\x9d Procedure Does Not Exist\n             The EPA\xe2\x80\x99s Privacy Policy contains a high level policy statement addressing \xe2\x80\x9crules\n             and consequences\xe2\x80\x9d for protecting PII but needs to publicize specific details via a\n             \xe2\x80\x9crules and consequences\xe2\x80\x9d procedure. OMB Memorandum 07-16 states that each\n             agency is responsible for developing and implementing an appropriate policy\n             outlining the rules of behavior and identifying consequences and corrective actions\n\n\n14-P-0122                                                                                          4\n\x0c            available for failure to follow these rules. In addition, the memorandum states that\n            policy should describe the terms and conditions that affected individuals shall be\n            subject to and identify available corrective actions.\n\n            To comply with the OMB memorandum, the agency developed an Intranet page\n            that contains \xe2\x80\x9crules and consequences.\xe2\x80\x9d Although this Intranet page contained\n            rules of conduct and consequences with regard to safeguarding PII, the agency\n            had not developed the information on the website into an official agency\n            procedure. 
Using an Intranet Web page to address a procedure requirement does\n            not ensure that agency personnel are aware of the federal requirements.\n            Employees may inadvertently mistreat, misuse and/or expose PII without proper\n            knowledge of their responsibilities and the consequences for noncompliance. \xc2\xa0\n\nAgency Lacks Oversight Over a Matching Program\n\xc2\xa0\n            The agency planned to participate in a matching program without providing\n            needed oversight for ensuring that the required documentation exists and\n            appropriate stakeholders are involved. The Privacy Act of 1974 identifies a\n            matching program as any computerized comparison of two or more automated\n            systems of records or a system of records with non-federal records for the purpose\n            of establishing or verifying the eligibility of (or continuing compliance with\n            statutory and regulatory requirements by) applicants for cash or in-kind assistance\n            or payments under federal benefit programs. The Privacy Act of 1974 requires\n            that a source agency and a recipient agency complete a written agreement before\n            disclosing a record from a system of record for use in a computer matching\n            program. 
The act also requires that the agency\xe2\x80\x99s Data Integrity Board (DIB)\n            review, approve and maintain all written agreements for matching programs.\n\n            In addition, the EPA\xe2\x80\x99s Privacy Policy states that if the agency is involved in a\n            computer matching program, the EPA must establish a DIB, consisting of senior\n            officials, to oversee and coordinate the implementation of the matching program.\n            Lastly, the EPA Privacy Policy states that the agency privacy officer is\n            responsible for oversight over system manager activities to ensure that all\n            privacy-related, statutory and regulatory requirements are met.\n\n            The Office of the Chief Financial Officer was preparing to transmit a file from the\n            agency\xe2\x80\x99s Compass system into the U.S. Treasury\xe2\x80\x99s Do Not Pay (DNP) Portal on\n            March 31, 2013. The Compass financial system replaced the agency\xe2\x80\x99s Integrated\n            Financial Management System, which was a System of Record. The agency\n            representatives indicated that the System of Record Notice for the Integrated\n            Financial Management System may still be used for Compass. The EPA never\n            identified the DNP initiative as a likely matching program. In addition, a written\n            matching agreement between the EPA\xe2\x80\x99s financial system and the U.S. Treasury\xe2\x80\x99s\n            DNP Portal had not been initiated. Also, the agency has not provided coordination\n            or oversight to communicate the need for the DIB to convene in order to oversee\n\n\n14-P-0122                                                                                          5\n\x0c            the implementation of this matching program. 
Lastly, system owners for the data\n            being transferred were not aware of the DIB\xe2\x80\x99s role in matching programs.\n\n            The EPA has not created written procedures that require a written matching\n            agreement before the agency engages in a matching program that describes how\n            employees are to communicate matching activities to appropriate officials and the\n            privacy office representative. There are also no policies or procedures which require\n            the privacy office representative to solicit responses on a continuous basis from\n            agency regions and program offices to determine the existence of matching programs.\n            As such, the agency representative was not aware that an EPA office was\n            participating in a matching program and the agency representative lacked needed\n            information to advise the DIB to meet to approve agency matching programs.\n            Subsequent to issuing our discussion document, the agency indicated that Office of\n            Technology Solutions representatives indicated that during phase I agency payment\n            files are to be compared against public databases that do not contain PII and,\n            therefore, computer matching requirements are not applicable. However, in phase 2 of\n            the DNP implementation (June 2014 and beyond), the U.S. Department of Treasury\n            will begin using restricted versions of these databases and the EPA would then need\n            matching agreements in place.\n\n            Without written procedures, the EPA may not be implementing matching programs\n            in accordance with federal requirements and agency employees may not be able to\n            properly identify and classify ongoing matching program activities. 
Further,\n            inaccurate information about agency matching programs may be reported to\n            management and OMB.\n\nMandated Contract Reviews Not Performed\n            The agency did not conduct required biennial contract reviews. An agency\n            representative stated the contract reviews were last performed in 2008. However,\n            the representative could not provide us with evidence of reviews done since 2008.\n            OMB Circular A-130, Appendix I, requires agencies to review every 2 years a\n            random sample of agency contracts to ensure they contain language to make the\n            provisions of the Privacy Act of 1974 binding on the contractor and the\n            employees. The EPA\xe2\x80\x99s Conducting Privacy On-site Reviews procedures state that\n            the agency representative will provide instructions to information management\n            officials and Liaison Privacy Officials (LPOs) for conducting Privacy Act reviews\n            as set forth in OMB Circular A-130, Appendix I.\n\n            The EPA has not developed an oversight process for ensuring that contract\n            reviews are performed biennially. Also, the EPA\xe2\x80\x99s Conducting Privacy On-site\n            Reviews procedure does not describe the details for meeting this OMB\n            requirement. By not reviewing a sample of these agency contracts, there is an\n            increased risk that contracts may omit the appropriate language that binds the\n            provisions of the Privacy Act to contractors. As a result, contractors may not be\n            aware that they are responsible for complying with the Privacy Act.\n\n14-P-0122                                                                                       6\n\x0cProcess for Maintaining PII System List Needs Improvement\n\n            The EPA maintains an inaccurate list of systems that contain sensitive PII. 
\n\n            OMB Memorandum 07-16 requires agencies to review their current holdings of all \n\n            PII and ensure, to the maximum extent practical, that such holdings are accurate, \n\n            relevant, timely and complete. The EPA relies on the program offices to provide \n\n            information on the agency\xe2\x80\x99s systems with sensitive PII. According to the agency, \n\n            there are no defined intervals as to when program offices are to furnish this to the \n\n            privacy office, but the process for updating this listing is done on an ad-hoc basis. \n\n            The agency uses this list of systems to report to OMB and agency management. \n\n            This report contained inaccuracies. \n\n\n            In our sample of six selected systems that contained sensitive PII, we found that \n\n            only three were valid systems. The agency is not reviewing and updating the list of \n\n            systems that contain sensitive PII on a regular basis to ensure accuracy. We\n\n            concluded that the agency updated the list of sensitive systems only as a result of \n\n            our audit inquiry. Further, agency policies or procedures do not describe the \n\n            LPO\xe2\x80\x99s responsibilities for updating the Privacy Office on the status of systems \n\n            with PII. Using an inaccurate list of systems with sensitive PII may lead OMB and \n\n            agency management to make decisions that may not be applicable to the agency\xe2\x80\x99s \n\n            needs. \n\n\xc2\xa0\nConclusion\n\xc2\xa0\n            The missing elements of the agency\xe2\x80\x99s privacy program could significantly degrade\n            the EPA\xe2\x80\x99s ability to safeguard PII. 
Agency employees may not be aware of requirements for safeguarding PII, the EPA could potentially transmit PII without obtaining a written agreement, and contractors who access agency PII may not have been informed of their responsibilities for complying with privacy requirements. Without additional PII safeguards, the agency may be at risk of PII being mistreated, misused and/or exposed.

Recommendations

We recommend that the Assistant Administrator for Environmental Information and Chief Information Officer:

1. Develop an implementing procedure for rules of behavior and consequences.

2. Develop and implement updated agency matching program procedures that:

   a. Define roles and responsibilities for communicating matching activities to the Privacy Office and the DIB.

   b. Require a written matching agreement before the agency engages in a matching program.

   c. Define the agency Privacy Officer’s oversight responsibilities.

   d. Convene the DIB for matching programs, as needed.

   e. Obtain a written agreement for the current matching program, as needed.

3. Develop and implement an oversight process that describes in detail how the EPA is to perform and document mandated contract reviews.

4. Develop and implement a process for maintaining an accurate, up-to-date listing of systems that contain sensitive PII.

Agency Comments and OIG Evaluation

The agency agreed with these recommendations and provided us with a response to the draft report which included corrective actions with milestone dates. We found the response to be acceptable and updated the report as appropriate. Subsequent to issuing the draft report, we met with the agency to discuss the report’s findings and recommendations. As a result of those discussions and the agency’s response to the draft, we updated the report as appropriate.

Chapter 3

Privacy Training Not Well Defined or Tracked

The EPA had not annually trained agency personnel on all prescribed topics. The EPA also had not established an oversight process to ensure LPOs and all personnel that access PII are trained. OMB requires agencies to initially train employees on their privacy and security responsibilities before permitting them access to information and information systems. Federal guidance also specifies the topics for training personnel to reduce the possibility that PII will be accessed, used or disclosed inappropriately. The agency incorporates its annual privacy training into the annual information security training, but the privacy training portion does not contain all the topics prescribed by the National Institute of Standards and Technology (NIST). The EPA’s process for tracking training lacks steps to ensure that LPOs who miss training obtain training at a later date.
Further, the agency’s processes lack oversight responsibilities to monitor whether LPOs train their offices’ employees. As a result, EPA employees were not trained on all of the prescribed topics for their responsibilities for protecting PII. Because no oversight ensures personnel are trained, senior agency officials may not have the information necessary to take additional measures to address weaknesses in the privacy training program.

Privacy Training Topics Not Covered

The EPA had not covered all topics prescribed by NIST during its annual security awareness training. OMB Memorandum 07-16 requires agencies to initially train employees on their privacy and security responsibilities before permitting them access to information and information systems. It also requires agencies to provide annual refresher training to ensure employees continue to understand their responsibilities. NIST SP 800-122 states that organizations should reduce the possibility that PII will be accessed, used or disclosed inappropriately by training all individuals before they are granted access to systems containing PII.

The EPA incorporates privacy training within its annual Information Security Awareness Training. However, this training contains only some of the training topics specified by NIST.
As a result, as shown in Table 1, the EPA’s privacy training program covers only 50 percent of the topics prescribed by NIST.

Table 1: Training topics and EPA training

  NIST-specified privacy training topic                                    Topic included in EPA training
  Applicable privacy laws, regulations and policies                        N
  Restrictions on data collection, storage and use of PII                  Y
  Roles and responsibilities for using and protecting PII                  N
  Appropriate disposal of PII                                              Y
  Sanctions for misuse of PII                                              N
  Recognition of a security or privacy incident involving PII              Y
  Retention schedules for PII                                              N
  Roles and responsibilities in responding to PII-related incidents        Y
  and reporting

Source: NIST topics and OIG analysis.

The agency is developing and updating its privacy training. However, the agency had not evaluated the current privacy awareness training available on its online training portal before it contracted to develop a new training program. When we reviewed the plan’s progress in July 2013, the training program was approximately 9 percent complete with $9,722 expended.
We estimate that the EPA will spend approximately $100,000 to complete development of the new training program.

Without ensuring all privacy training topics are taught, the EPA faces the possibility that agency employees are unaware of all the measures necessary to protect sensitive PII before they are granted access to agency information and information systems.

Privacy Training Not Tracked in Program Offices

The EPA does not have a formal process for tracking the training of agency personnel. The EPA indicated that it has a system in place to track training for its LPOs. In addition, the EPA indicated that the annual security awareness training is tracked centrally, but the EPA has issues with some program offices’ training and tracking the training of their staff. We requested verification from three LPOs regarding the training they provide to their office personnel before those personnel are given access to agency information systems. Two LPOs indicated they did not have training records and appeared not to know the training requirement: they responded that employees did not need training, even though the system in question was identified as containing sensitive PII. One LPO did not respond to our request for information. Our audit also disclosed that the EPA lacks processes to verify whether LPOs responsible for training personnel within their offices monitor the training status of those personnel. The EPA’s Privacy Policy states that the LPOs are to ensure proper training for individuals in their area of responsibility, including monitoring online training for employees.
The policy also charges the agency’s Privacy Act Officer with providing oversight to ensure the EPA requirements are met and with training personnel on the policy’s privacy requirements.

The EPA offers specialized LPO training once per year and had not set up a process to ensure LPOs that miss the training are trained. While the EPA uses sign-in sheets to track training attendance, the agency neither uses the rosters to identify who missed training nor provides supplemental training to the LPOs to ensure they are kept current about their duties.

Once training is given, it is important to ensure the agency has processes in place to track who completes the training and to inform senior agency officials of the status of the training program. The agency lacks the necessary internal control processes, including tracking the training status of employees and a mechanism to inform management of the status of their office’s training, to ensure the effectiveness of the training provided and to decide whether additional training is required to make employees aware of their responsibilities for protecting PII.

Conclusion

The EPA had not trained all individuals on all prescribed topics for safeguarding PII. Ensuring that agency employees are aware of their responsibilities for protecting PII is critical in order for the agency to ensure it is taking all steps necessary to safeguard PII.
Furthermore, the agency does not have an oversight process to track the training of those individuals throughout the agency who have a specialized role in providing privacy training. Without this process, the agency does not have assurance that all individuals are trained in carrying out their duties in support of ensuring that all users who access agency PII know the requirements for safeguarding PII.

Recommendations

We recommend that the Assistant Administrator for Environmental Information and Chief Information Officer:

5. Establish and implement a process to train all individuals who access PII based on their roles and responsibilities. This process should include training on all PII topics as prescribed by NIST.

6. Continue with current privacy training plans and establish a process to fully document business cases and due diligence reviews, and follow this process should future modifications be needed in the current privacy training contract.

7. Develop and implement an oversight process to monitor that LPOs and all individuals who access PII are trained on their responsibilities for protecting PII. The oversight process should include a method to inform senior agency officials on the status of their office’s completion of training.

Agency Comments and OIG Evaluation

The agency agreed with recommendations 5 and 7 and provided high-level corrective action plans with milestone dates which we found acceptable.
The agency initially did not agree with recommendation 6. The agency stated the Agency Privacy Officer exercised due diligence by conducting market research before entering into the current contract with the privacy training vendor. However, the agency was not able to provide us evidence to support its assertion. We subsequently met with agency representatives to discuss the finding and related corrective action. Management agreed that steps could be taken to strengthen its oversight processes, and we updated the recommendation to be more specific as to the corrective action needed to address the finding. The agency concurred with the updated recommendation and provided us with a high-level corrective action plan with completion dates, which we found acceptable.

Status of Recommendations and Potential Monetary Benefits

The action official for every recommendation is the Assistant Administrator for Environmental Information and Chief Information Officer. The potential monetary benefits columns (claimed amount and agreed-to amount, in $000s) are blank for every recommendation.

  Rec. No.  Page No.  Subject                                                          Status (1)  Planned Completion Date
  1         7         Develop an implementing procedure for rules of behavior and      O           9/30/14
                      consequences.
  2         7         Develop and implement updated agency matching program            O           6/30/14
                      procedures that:
                      a. Define roles and responsibilities for communicating
                         matching activities to the Privacy Office and the DIB.
                      b. Require a written matching agreement before the agency
                         engages in a matching program.
                      c. Define the agency Privacy Officer’s oversight
                         responsibilities.
                      d. Convene the DIB for matching programs, as needed.
                      e. Obtain a written agreement for the current matching
                         program, as needed.
  3         8         Develop and implement an oversight process that describes in    O           3/31/14
                      detail how the EPA is to perform and document mandated
                      contract reviews.
  4         8         Develop and implement a process for maintaining an accurate,    O           6/30/14
                      up-to-date listing of systems that contain sensitive PII.
  5         11        Establish and implement a process to train all individuals      O           9/30/14
                      who access PII based on their roles and responsibilities.
                      This process should include training on all PII topics as
                      prescribed by NIST.
  6         11        Continue with current privacy training plans and establish a    O           3/31/14
                      process to fully document business cases and due diligence
                      reviews and follow this process should future modifications
                      be needed in the current privacy training contract.
  7         11        Develop and implement an oversight process to monitor that      O           9/30/14
                      LPOs and all individuals who access PII are trained on their
                      responsibilities for protecting PII. The oversight process
                      should include a method to inform senior agency officials
                      on the status of their office’s completion of training.

(1) O = recommendation is open with agreed-to corrective actions pending
    C = recommendation is closed with all agreed-to actions completed
    U = recommendation is unresolved with resolution efforts in progress

Appendix A

Agency Response to Draft Report

UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
WASHINGTON, D.C. 20460

NOV '7 2013
OFFICE OF ENVIRONMENTAL INFORMATION

MEMORANDUM

SUBJECT: Response to Office of Inspector General Draft Report No. OA-FY13-0082 "EPA Needs to Improve Processes for Safeguarding Personally Identifiable Information," dated August 19, 2013

FROM: [signature]

TO: Arthur A. Elkins, Jr.
    Inspector General

Thank you for the opportunity to respond to the issues and recommendations described in the draft audit report.

The Office of Environmental Information's (OEI) response to the audit's findings and recommendations is attached. For the recommendations with which we agree, we provide high-level intended corrective actions and estimated completion dates.
For the recommendations with which OEI does not agree, we explain our position and provide proposed alternatives to the recommendations, as appropriate.

EPA's National Privacy Program, established in 2007, is striving to ensure that EPA is in compliance with statutory requirements, guidance and standards issued by the Office of Management and Budget and the National Institute of Standards and Technology. The Program is currently revising the Agency's Privacy Policy to address emerging privacy areas such as social media and cloud computing, and to address privacy needs not identified when the initial policy was issued. The revised Policy is scheduled to be issued in Q2 FY 2014. The Program also is engaged in developing a five-year strategic plan to guide the Agency in meeting its responsibilities to ensure Personally Identifiable Information (PII) is adequately protected.

OEI appreciates this evaluation by the Office of Inspector General (OIG) and the opportunity to address each finding and recommended action. We are committed to ensuring full compliance with federal privacy requirements for protecting Agency PII.
If you have questions regarding this response, please contact Judy Hutt, the Agency Privacy Officer, in the Office of Information Collection, Collection Strategies Division, FOIA and Privacy Branch at 202-566-1668.

Attachment

cc: Vaughn Noga
    Andrew Battin
    Jeff Wells
    John Moses
    Deborah Williams
    Judy Hutt
    Scott Dockum
    Brenda Young

Attachment 1

Response to OIG Findings and Recommendations

Chapter 2 - EPA's Documented Processes for Protecting PII Need Improvement

OIG Recommendation 1: Finalize and implement a rules and consequences policy related to safeguarding PII.

Corrective Action 1: OEI agrees and will develop implementing procedures for rules of behavior and consequences by September 30, 2014. However, we believe we do have a formal rules and consequences policy. (See Agency Privacy Policy, Section 6.)

OIG Recommendation 2: Develop and implement updated Agency "matching program" policies and procedures.

Corrective Action 2: OEI agrees that implementing procedures for a matching program are needed and these will be developed. The implementing procedures are planned for completion by June 30, 2014, and will outline the steps required to ensure compliance with the Privacy Act when establishing a matching program. OEI will also include "matching agreements" as a topic in the privacy trainings under development to ensure that key privacy personnel, including managers, are aware of this requirement.

Discussion of OIG Finding 2: Lack of Oversight Over a Matching Program.
OEI believes the report is not accurate in its supporting narrative. The OIG states, "EPA has not created written policies or procedures that require a written matching agreement before the Agency engages in a matching program."
EPA's Privacy Policy addresses the matching program requirements for a written matching agreement, along with the requirement to establish a Data Integrity Board (DIB) to oversee any matching activity (see pp. 7, 14 and 15). As we stated previously, the Privacy Act requirements for a matching agreement did not apply to Phase I of the "Do Not Pay" data sharing activity referenced in the report. A matching agreement will be in place to support Phase II of the "Do Not Pay" data sharing activity, which will commence in CY 2014.

OIG Recommendation 3: Develop and implement an oversight process that describes in detail how the EPA is to perform and document mandated contract reviews.

Corrective Action 3: OEI will develop an oversight process in Q2 of FY 2014 to ensure contract reviews are performed every two years. OEI is currently collaborating with the Office of Administration Resources (OARM) to develop a process for OARM to conduct privacy reviews of contracts and report the results to the Privacy Program. The biennial review process will be documented to guide future reviews.

Discussion of OIG Finding 3: Contract Reviews Not Performed.
The draft report states that OEI could not provide the OIG with either the name of the individual who performed the previous reviews or evidence they were conducted. OEI provided the names of the individuals who performed the contract reviews, along with documentation, but was unable to locate the additional supporting evidence required by the OIG.

OIG Recommendation 4: Develop and implement a process for maintaining an accurate, up-to-date listing of systems that contain sensitive PII.

Corrective Action 4: OEI will develop a process for regularly requesting inventory updates from Liaison Privacy Officials (LPOs) and posting the updates to the privacy website.
OEI plans to complete this action by June 30, 2014. In addition, OEI will revise its Privacy Policy to describe the LPO's responsibility for reporting on the status of PII systems in their organizations and include this requirement in the privacy training currently being developed for Agency LPOs.

Discussion of OIG Finding 4: Data Used for Official Reporting Not Always Up to Date.
OEI disagrees with the statement that an inaccurate listing of systems is used to report to the Chief Information Officer (CIO) and OMB. The Privacy Program regularly updates the list of systems that contain sensitive PII based on information provided by LPOs on the status of these systems. At the time the OIG reviewed the listing of sensitive PII systems posted on the Privacy intranet site, the master list of sensitive PII systems was being reconciled with a recent data call on sensitive PII systems initiated by the Senior Agency Information Security Officer (SAISO).

Chapter 3 - Privacy Training Not Well-Defined or Tracked

OIG Recommendation 5: Establish and implement a process to train all individuals who access PII based on their roles and responsibilities. This process should include training on all PII topics as prescribed by NIST.

Corrective Action 5: The Privacy Program is developing online role-based training courses for key privacy personnel and mandatory general awareness training for all employees, which will be available in Q4 FY 2014. Online trainings for personnel who access PII will cover all PII topics as prescribed by the National Institute of Standards and Technology.

Discussion of OIG Finding 5: Privacy Training Topics Not Covered.
The OIG report states current annual information security training, which has a privacy component, does not cover all the privacy training topics prescribed by the National Institute of Standards and Technology.
Privacy trainings conducted by the Agency Privacy Officer, which augment the annual information security training, meet the requirements.

OIG Recommendation 6: Establish and implement a process to conduct due diligence reviews of available training before the Agency enters into contracts to develop further privacy training.

Corrective Action 6: OEI disagrees with this finding. The Agency Privacy Officer exercised due diligence by conducting market research before entering into the current contract with the privacy training vendor. The Agency Privacy Officer was involved in the review and testing of the training identified in the report as "the training on the online training portal" (i.e., Skillport) and determined the training was not sufficient to meet Privacy Program needs. This evaluation process will continue.

OIG Recommendation 7: Develop and implement an oversight process to monitor that LPOs and all individuals who access PII are trained on their responsibilities for protecting PII. The oversight process should include a method to inform senior Agency officials on the status of their office's completion of training.

Corrective Action 7: Online privacy trainings will be offered and tracked via Skillport, the Agency's online training portal. The Agency Privacy Officer, LPOs and EPA managers will be able to track who has taken the training and provide training opportunities for all who require it. The role-based training for LPOs is scheduled to be available in Q1 FY 2014.
The general awareness training is expected to be available later in FY 2014.

Attachment 2

Agency's Response To Report Recommendations

Agreements

No. 1
  Recommendation: Finalize and implement a rules and consequences policy related to safeguarding PII.
  High-Level Intended Corrective Action(s): The Agency agrees to develop implementing procedures for rules of behavior and consequences.
  Estimated Completion by Quarter and FY: 4th Quarter FY 2014 (9/30/14)

No. 2
  Recommendation: Develop and implement updated Agency matching program policies and procedures that:
    a. Define roles and responsibilities for communicating matching activities to the APO and the DIB.
    b. Require a written matching agreement before the Agency engages in a matching program.
    c. Define the APO's oversight responsibilities.
    d. Convene the DIB for matching programs, as needed.
    e. Obtain a written agreement for the current matching program, as needed.
  High-Level Intended Corrective Action(s): The implementing procedures will outline the steps required to ensure compliance with the Privacy Act when establishing a matching program. The Agency will also include "matching agreements" as a topic in the privacy trainings under development to ensure that key privacy personnel, including managers, are aware of this requirement.
  Estimated Completion by Quarter and FY: 3rd Quarter FY 2014 (6/30/14)

No. 3
  Recommendation: Develop and implement an oversight process that describes in detail how the EPA is to perform and document mandated contract reviews.
  High-Level Intended Corrective Action(s): The Agency will develop an oversight process by March 31, 2014, to ensure contract reviews are performed every two years.
  Estimated Completion by Quarter and FY: 2nd Quarter FY 2014 (3/31/14)

No. 4
  Recommendation: Develop and implement a process for maintaining an accurate, up-to-date listing of systems that contain sensitive PII.
  High-Level Intended Corrective Action(s): The Agency will develop a process for regularly requesting inventory updates from LPOs and posting the updates to the privacy website.
  Estimated Completion by Quarter and FY: 3rd Quarter FY 2014 (6/30/14)

No. 5
  Recommendation: Establish and implement a process to train all individuals who access PII based on their roles and responsibilities. This process should include training on all PII topics as prescribed by NIST.
  High-Level Intended Corrective Action(s): Online trainings for personnel who access PII will cover all PII topics as prescribed by the National Institute of Standards and Technology.
  Estimated Completion by Quarter and FY: 4th Quarter FY 2014 (9/30/14)

No. 7
  Recommendation: Develop and implement an oversight process to monitor that LPOs and all individuals who access PII are trained on their responsibilities for protecting PII. The oversight process should include a method to inform senior Agency officials on the status of their office’s completion of training.
  High-Level Intended Corrective Action(s): Online privacy trainings will be offered and tracked via Skillport, the Agency’s online training portal.
  Estimated Completion by Quarter and FY: 4th Quarter FY 2014 (9/30/14)

Disagreements

No. 6
  Recommendation: Establish and implement a process to conduct due diligence reviews of available training before the Agency enters into contracts to develop further privacy training.
  Agency Explanation/Response: The Agency Privacy Officer exercised due diligence by conducting market research before entering into the current contract with the privacy training vendor. The Agency Privacy Officer was involved in the review and testing of the training identified in the report as "the training on the online training portal" (i.e., Skillport) and determined the training was not sufficient to meet Privacy Program needs.
  Proposed Alternative: EPA will continue with the current training plans for privacy training in Skillport, the Agency's online training portal.

Appendix B

Attachment 2

Revised Agency Response to Report Recommendations

Agreements

No. 1
  Recommendation: Finalize and implement a rules and consequences policy related to safeguarding PII.
  High-Level Intended Corrective Action(s): The Agency agrees to develop implementing procedures for rules of behavior and consequences.
  Estimated Completion by Quarter and FY: 4th Quarter FY 2014 (9/30/14)

No. 2
  Recommendation: Develop and implement updated Agency matching program policies and procedures that:
    a.
Define roles and responsibilities    ensure compliance with\n               for communicating matching           the Privacy Act when\n               activities to the APO and the DIB.   establishing a matching\n                                                    program. The Agency\n            b. Require a written matching\n                                                    will also include\n               agreement before the Agency          \xe2\x80\x9cmatching agreements\xe2\x80\x9d\n               engages in a matching program.       as a topic in the privacy\n            c. Define the APO\xe2\x80\x99s oversight           trainings under\n               responsibilities.                    development to ensure\n            d. Convene the DIB for matching         that key privacy\n               programs, as needed.                 personnel, including\n                                                    managers, are aware of\n            e. Obtain a written agreement for the\n                                                    this requirement.\n               current matching program, as\n               needed.\n\n 3          Develop and implement an oversight      The Agency will develop      2nd Quarter FY 2014\n            process that describes in detail how    an oversight process by      (3/31/14)\n            the EPA is to perform and document      March 31, 2014, to\n            mandated contract reviews.              ensure contract reviews\n                                                    are performed every two\n                                                    years.\n 4          Develop and implement a process for     The Agency will develop      3rd Quarter FY 2014\n            maintaining an accurate, up-to-date     a process for regularly      (6/30/14)\n            listing of systems that contain         requesting inventory\n            sensitive PII.                          
updates from LPOs and\n                                                    posting the updates to the\n                                                    privacy website.\n\n\n\n\n14-P-0122                                                                                               21\n\x0c     No.              Recommendation                    High-Level Intended         Estimated Completion\n                                                        Corrective Action(s)         by Quarter and FY\n\n 5          Establish and implement a process to       Online trainings for         4th Quarter FY 2014\n            train all individuals who access PII       personnel who access PII     (9/30/14)\n            based on their roles and                   will cover all PII topics\n            responsibilities. This process should      as prescribed by the\n            include training on all PII topics as      National Institute of\n            prescribed by NIST.                        Standards and\n                                                       Technology.\n 6          Continue with current privacy              The Agency will develop      2nd Quarter FY2014\n            training plans and establish a process     a process to document        (3/31/14)\n            to fully document business cases and       business cases and due\n            due diligence reviews and follow this      diligence reviews should\n            process should future modifications        future trainings be\n            be needed in the current privacy           required.\n            training contract.\n\n 7          Develop and implement an oversight         Online privacy trainings     4th Quarter FY 2014\n            process to monitor that LPOs and all       will be offered and          (9/30/14)\n            individuals who access PII are trained     tracked via Skillport, the\n            on their responsibilities for protecting   Agency\xe2\x80\x99s online training\n          
  PII. The oversight process should          portal.\n            include a method to inform senior\n            Agency officials on the status of their\n            office\xe2\x80\x99s completion of training.\n\n\n\n\n14-P-0122                                                                                                  22\n\x0c                                                                                 Appendix C\n\n                                     Distribution\nOffice of the Administrator\nAssistant Administrator for Environmental Information and Chief Information Officer\nAgency Follow-Up Official (the CFO)\nAgency Follow-Up Coordinator\nGeneral Counsel\nAssociate Administrator for Congressional and Intergovernmental Relations\nAssociate Administrator for External Affairs and Environmental Education\nPrincipal Deputy Assistant Administrator for Environmental Information\nDirector, Office of Information Collection, Office of Environmental Information\nDeputy Director, Office of Information Collection, Office of Environmental Information\nAudit Follow-Up Coordinator, Office Environmental Information\n\n\n\n\n14-P-0122                                                                                     23\n\x0c'